Autogenerated HTML docs for v2.43.0-440-gb50a60
[git-htmldocs.git] / howto / coordinate-embargoed-releases.html
blob 8abc4517f9ace41bb184e8365d58143dfc55e809
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 10.2.0" />
<title></title>
</head>
<body class="article">
<div id="header">
</div>
<div id="content">
<div class="sect1">
<h2 id="_how_we_coordinate_embargoed_releases">How we coordinate embargoed releases</h2>
<div class="sectionbody">
<div class="paragraph"><p>To protect Git users from critical vulnerabilities, we do not just release
fixed versions like regular maintenance releases. Instead, we coordinate
releases with packagers, keeping the fixes under an embargo until the release
date. That way, users will have a chance to upgrade on that date, no matter
what operating system or distribution they run.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_the_code_git_security_code_mailing_list">The <code>git-security</code> mailing list</h2>
<div class="sectionbody">
<div class="paragraph"><p>Responsible disclosures of vulnerabilities, analysis, proposed fixes as
well as the orchestration of coordinated embargoed releases all happen on the
<code>git-security</code> mailing list at &lt;<a href="mailto:git-security@googlegroups.com">git-security@googlegroups.com</a>&gt;.</p></div>
<div class="paragraph"><p>In this context, the term "embargo" refers to the time period during which
information about a vulnerability is kept under wraps and only shared on a
need-to-know basis. This is necessary to protect Git&#8217;s users from bad actors
who would otherwise learn of attack vectors that could be exploited before a
fix is available. "Lifting the embargo" refers to publishing the version that
fixes the vulnerabilities.</p></div>
<div class="sect2">
<h3 id="_audience_of_the_code_git_security_code_mailing_list">Audience of the <code>git-security</code> mailing list</h3>
<div class="paragraph"><p>Anybody may contact the <code>git-security</code> mailing list by sending an email
to &lt;<a href="mailto:git-security@googlegroups.com">git-security@googlegroups.com</a>&gt;, though the archive is closed to the
public and only accessible to subscribed members.</p></div>
<div class="paragraph"><p>There are a few dozen subscribed members: core Git developers who are trusted
with addressing vulnerabilities, and stakeholders (i.e. owners of products
affected by security vulnerabilities in Git).</p></div>
<div class="paragraph"><p>Most of the discussions revolve around assessing the severity of the reported
issue (including the decision whether the report is security-relevant or can be
redirected to the public mailing list), how to remediate the issue, determining
the timeline of the disclosure, and aligning priorities and
requirements.</p></div>
</div>
<div class="sect2">
<h3 id="_communications">Communications</h3>
<div class="paragraph"><p>If you are a stakeholder, it is a good idea to pay close attention to the
discussions, as pertinent information may be buried in the middle of a lively
conversation that might not look relevant to your interests. For example, the
tentative timeline might be agreed upon in the middle of discussing code
comment formatting in one of the patches, or whether or not to combine fixes
for multiple, separate vulnerabilities into the same embargoed release. Mail
threads are usually not structured specifically to communicate
agreements, assessments or timelines.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_typical_timeline">Typical timeline</h2>
<div class="sectionbody">
<div class="ulist"><ul>
<li>
<p>
A potential vulnerability is reported to the <code>git-security</code> mailing list.
</p>
</li>
<li>
<p>
The members of the <code>git-security</code> list start a discussion to give an initial
assessment of the severity of the reported potential vulnerability.
We aspire to do so within a few days.
</p>
</li>
<li>
<p>
After discussion, if consensus is reached that it is not critical enough
to warrant any embargo, the reporter is redirected to the public Git mailing
list. This ends the reporter&#8217;s interaction with the <code>git-security</code> list.
</p>
</li>
<li>
<p>
If it is deemed critical enough for an embargo, ideas are presented on how to
address the vulnerability.
</p>
</li>
<li>
<p>
Usually around that time, the Git maintainer or their delegate(s) open a draft
security advisory in the <code>git/git</code> repository on GitHub (see below for more
details).
</p>
</li>
<li>
<p>
Code review can take place in a variety of different locations,
depending on context. These are: patches sent inline on the <code>git-security</code> list,
a private fork on GitHub associated with the draft security advisory, or the
<code>git/cabal</code> repository.
</p>
</li>
<li>
<p>
Contributors working on a fix should consider beginning by sending
patches to the <code>git-security</code> list (inline with the original thread), since they
are accessible to all subscribers, including the original reporter.
</p>
</li>
<li>
<p>
Once the review has settled and everyone involved in the review agrees that
the patches are nearing the finish line, the Git maintainer and others
determine a release date as well as the release trains that are serviced. The
decision regarding which versions need a backported fix is based on input from
the reporter, the contributor who worked on the patches, and from
stakeholders. Operators of hosting sites who may want to analyze whether the
given issue is exploited via any of the repositories they host, and binary
packagers who want to make sure their product gets patched adequately against
the vulnerability, for example, may want to give their input at this stage.
</p>
</li>
<li>
<p>
While the Git community does its best to accommodate the specific timeline
requests of the various binary packagers, the nature of the issue may preclude
a prolonged release schedule. For fixes deemed urgent, it may be in the best
interest of the Git user community to shorten the disclosure and release
timeline, and packagers may need to adapt accordingly.
</p>
</li>
<li>
<p>
Subsequently, branches with the fixes are pushed to the <code>git/cabal</code> repository.
</p>
</li>
<li>
<p>
The tags are created by the Git maintainer and pushed to the same repository.
</p>
</li>
<li>
<p>
The Git for Windows, Git for macOS, BSD, Debian, etc. maintainers prepare the
corresponding release artifacts, based on the tags prepared by the Git
maintainer.
</p>
</li>
<li>
<p>
The release artifacts prepared by various binary packagers can be
made available to stakeholders under embargo via a mail to the
<code>git-security</code> list.
</p>
</li>
<li>
<p>
Less than a week before the release, a mail with the relevant information is
sent to &lt;<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>&gt; (see below), a list used to pre-announce
embargoed releases of open source projects to the stakeholders of all major
distributions of Linux as well as other OSes.
</p>
</li>
<li>
<p>
Public communication is then prepared in advance of the release date. This
includes blog posts and mails to the Git and Git for Windows mailing lists.
</p>
</li>
<li>
<p>
On the day of the release, at around 10am Pacific Time, the Git maintainer
pushes the tag and the <code>master</code> branch to the public repository, then sends
out an announcement mail.
</p>
</li>
<li>
<p>
Once the tag is pushed, the Git for Windows maintainer publishes the
corresponding tag and creates a GitHub Release with the associated release
artifacts (Git for Windows installer, Portable Git, MinGit, etc).
</p>
</li>
<li>
<p>
The Git for Windows release is then announced via a mail to the public Git and
Git for Windows mailing lists as well as via a tweet.
</p>
</li>
<li>
<p>
Ditto for distribution packagers for Linux and other platforms:
their releases are announced via their preferred channels.
</p>
</li>
<li>
<p>
A mail to &lt;<a href="mailto:oss-security@lists.openwall.com">oss-security@lists.openwall.com</a>&gt; (see below for details) is sent
as a follow-up to the &lt;<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>&gt; one, describing the
vulnerability in detail, often including a proof of concept of an exploit.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: The Git project makes no guarantees about timelines, but aims to keep
embargoes reasonably short in the interest of keeping Git&#8217;s users safe.</p></div>
<div class="sect2">
<h3 id="_opening_a_security_advisory_draft">Opening a Security Advisory draft</h3>
<div class="paragraph"><p>The first step is to <a href="https://github.com/git/git/security/advisories/new">open
an advisory</a>. Strictly speaking, this is not required. However, it is the most
convenient way to obtain the CVE number, and it gives us a private repository
associated with the advisory that can be used to collaborate on a fix.</p></div>
</div>
<div class="sect2">
<h3 id="_notifying_the_linux_distributions">Notifying the Linux distributions</h3>
<div class="paragraph"><p>At most two weeks before the release date, we need to send a notification to
&lt;<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>&gt;, preferably less than 7 days before the release date.
This will reach most (if not all) Linux distributions. See an example below, and the
guidelines for this mailing list
<a href="https://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists">here</a>.</p></div>
<div class="paragraph"><p>Once the version has been published, we send a note about that to oss-security.
As an example, see <a href="https://www.openwall.com/lists/oss-security/2019/12/13/1">the
v2.24.1 mail</a>;
<a href="https://oss-security.openwall.org/wiki/mailing-lists/oss-security">here</a> are
their guidelines.</p></div>
<div class="paragraph"><p>The mail to oss-security should also describe the exploit, and give credit to
the reporter(s): security researchers still receive too little respect for the
invaluable service they provide, and public credit goes a long way to keep them
paid by their respective organizations.</p></div>
<div class="paragraph"><p>Describing the exploit may technically be delayed by up to 7 days, but we
usually do not do that and include it right away.</p></div>
<div class="paragraph"><p>As a courtesy we typically attach a Git bundle (as <code>.tar.xz</code> because the list
will drop <code>.bundle</code> attachments) to the mail to distros@ so that the involved
parties can take care of integrating/backporting the fixes. This bundle is typically
created using a command like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>git bundle create cve-xxx.bundle ^origin/master vA.B.C vD.E.F
tar cJvf cve-xxx.bundle.tar.xz cve-xxx.bundle</code></pre>
</div></div>
<div class="paragraph"><p>Because <code>^origin/master</code> excludes everything already reachable from the
public <code>master</code>, the bundle contains only the embargoed commits and the tags
pointing at them. Recipients therefore have to fetch it into a clone that is
already up to date with the public repository; <code>git bundle verify</code> reports
any prerequisite commits that such a clone lacks.</p></div>
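<div class="paragraph"><p>The following script is an added example of the bundle round trip, not the Git
project&#8217;s own tooling. It constructs a throwaway "public" repository standing in
for github.com/git/git, a maintainer clone holding two embargoed fixes (the tag
names <code>v2.24.1</code> and <code>v2.25.1</code>, the file names and the commit contents are
all made up for the demo), builds the bundle with the same <code>^origin/master</code>
exclusion as above, and then shows the checks a packager should run before and
after fetching: <code>git bundle verify</code> against their own clone, and a fetch by
explicit tag refspec, which does not depend on the bundle carrying a
<code>HEAD</code>.</p></div>

```shell
#!/bin/sh
# Added example (not from the Git project's howto): round-trip an embargoed
# fix bundle from the maintainer's private clone to a packager's clone, with
# the checks each side should run. Repository layout, tag names (v2.24.1,
# v2.25.1) and file contents are constructed for the demo.
set -eu

# Deterministic identity and no user/system git config, so the demo is
# reproducible and nothing like commit.gpgsign interferes.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null

# Maintainer side. "^origin/master" excludes everything already public, so the
# bundle carries only the embargoed fix commits plus the tags pointing at them.
# "git bundle verify" fails if a prerequisite commit is missing from this clone.
make_embargo_bundle() {
  repo=$1; out=$2; shift 2            # remaining arguments: the tags to ship
  git -C "$repo" bundle create "$out" ^origin/master "$@"
  git -C "$repo" bundle verify "$out" >/dev/null
  tar -C "$(dirname "$out")" -cJf "$out.tar.xz" "$(basename "$out")"
}

# Packager side. Verify the bundle against *our* clone before fetching: its
# prerequisites must already be present here. Fetch by an explicit tag refspec
# so the result does not depend on whether the bundle carries a HEAD.
# Prints the v* tags present afterwards, space-separated.
import_embargo_bundle() {
  clone=$1; archive=$2
  work=$(mktemp -d)
  tar -C "$work" -xJf "$archive"
  bundle=$(ls "$work"/*.bundle)
  git -C "$clone" bundle verify "$bundle" >/dev/null
  git -C "$clone" fetch --quiet "$bundle" 'refs/tags/*:refs/tags/*'
  git -C "$clone" tag --list 'v*' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed scenario under $1: "public" stands in for github.com/git/git with
# v2.24.0 and v2.25.0 released; "private" is the maintainer's clone holding one
# embargoed fix per release train, tagged v2.24.1 and v2.25.1.
setup_demo() {
  base=$1
  git -c init.defaultBranch=master init -q "$base/public"
  echo 'release 2.24' > "$base/public/VERSION"
  git -C "$base/public" add VERSION
  git -C "$base/public" commit -q -m 'Git 2.24'
  git -C "$base/public" tag v2.24.0
  echo 'release 2.25' > "$base/public/VERSION"
  git -C "$base/public" commit -q -am 'Git 2.25'
  git -C "$base/public" tag v2.25.0

  git clone -q "$base/public" "$base/private"
  for train in 2.24 2.25; do
    git -C "$base/private" checkout -q -b "fix-$train" "v$train.0"
    echo 'bounds check added' > "$base/private/FIX"
    git -C "$base/private" add FIX
    git -C "$base/private" commit -q -m "Fix CVE-xxx on $train"
    git -C "$base/private" tag "v$train.1"
  done
}

# Usage: build the bundle on the maintainer side, then import it into a fresh
# packager clone of the public repository. Prints the packager's tags.
demo() {
  base=$(mktemp -d)
  setup_demo "$base"
  make_embargo_bundle "$base/private" "$base/cve-xxx.bundle" v2.24.1 v2.25.1
  git clone -q "$base/public" "$base/packager"
  import_embargo_bundle "$base/packager" "$base/cve-xxx.bundle.tar.xz"
}
```

<div class="paragraph"><p>Running <code>demo</code> leaves the packager clone with <code>v2.24.0 v2.24.1 v2.25.0
v2.25.1</code>. The demo uses lightweight, unsigned tags; the real release tags are
signed, so a packager additionally runs <code>git tag -v &lt;tag&gt;</code> (with the
maintainer&#8217;s key in their keyring) before building from them, as the example
mail below instructs.</p></div>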
</div>
<div class="sect2">
<h3 id="_example_mail_to_a_href_mailto_distros_vs_openwall_org_distros_vs_openwall_org_a">Example mail to <a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a></h3>
<div class="literalblock">
<div class="content">
<pre><code>To: distros@vs.openwall.org
Cc: git-security@googlegroups.com, &lt;other people involved in the report/fix&gt;
Subject: [vs] Upcoming Git security fix release

Team,

The Git project will release new versions on &lt;date&gt; at 10am Pacific Time or
soon thereafter. I have attached a Git bundle (embedded in a `.tar.xz` to avoid
it being dropped) which you can fetch into a clone of
https://github.com/git/git via `git fetch --tags /path/to/cve-xxx.bundle`,
containing the tags for versions &lt;versions&gt;.

You can verify with `git tag -v &lt;tag&gt;` that the versions were signed by
the Git maintainer, using the same GPG key as e.g. v2.24.0.

Please use these tags to prepare `git` packages for your various
distributions, using the appropriate tagged versions. The added test cases
help verify the correctness.

The addressed issues are:

&lt;list of CVEs with a short description, typically copy/pasted from Git's
release notes, usually demo exploit(s), too&gt;

Credit for finding the vulnerability goes to &lt;reporter&gt;, credit for fixing
it goes to &lt;developer&gt;.

Thanks,
&lt;name&gt;</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_example_mail_to_a_href_mailto_oss_security_lists_openwall_com_oss_security_lists_openwall_com_a">Example mail to <a href="mailto:oss-security@lists.openwall.com">oss-security@lists.openwall.com</a></h3>
<div class="literalblock">
<div class="content">
<pre><code>To: oss-security@lists.openwall.com
Cc: git-security@googlegroups.com, &lt;other people involved in the report/fix&gt;
Subject: git: &lt;copy from security advisory&gt;

Team,

The Git project released new versions on &lt;date&gt;, addressing &lt;CVE&gt;.

All supported platforms are affected in one way or another, and all Git
versions all the way back to &lt;version&gt; are affected. The fixed versions are:
&lt;versions&gt;.

Link to the announcement: &lt;link to lore.kernel.org/git&gt;

We highly recommend upgrading.

The addressed issues are:
* &lt;list of CVEs and their explanations, along with demo exploits&gt;

Credit for finding the vulnerability goes to &lt;reporter&gt;, credit for fixing
it goes to &lt;developer&gt;.

Thanks,
&lt;name&gt;</code></pre>
</div></div>
</div>
</div>
</div>
</div>
<div id="footnotes"><hr /></div>
<div id="footer">
<div id="footer-text">
Last updated
2024-01-26 14:40:56 PST
</div>
</div>
</body>
</html>